Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rotate osdCcsAdmin credentails on creation of each cluster #118

Merged
merged 1 commit into from
Nov 5, 2020
Merged

Rotate osdCcsAdmin credentails on creation of each cluster #118

merged 1 commit into from
Nov 5, 2020

Conversation

jharrington22
Copy link
Contributor

@jharrington22 jharrington22 commented Sep 25, 2020
edited
Loading

Rotate IAM access keys for the IAM user osdCcsAdmin user each time we use the client to create a cluster. There is no need to permanently store these credentials since they are only used on create, the cluster uses a completely different set of IAM credentials provisioned by this user.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 25, 2020
@jharrington22 jharrington22 changed the title Rotate osdCcsAdmin IAM user credentials for each new cluster install Rotate osdCcsAdmin credentails on creation of each cluster Sep 25, 2020
@jharrington22
Copy link
Contributor Author

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 25, 2020
@jharrington22 jharrington22 force-pushed the remove-cloudformation-outputs branch 2 times, most recently from 9f72f8c to 853eac7 Compare September 25, 2020 12:58
@vkareh
Copy link
Member

vkareh commented Sep 25, 2020

I'm wondering what happens during moactl edit cluster, the credentials we used to create are stored in a secret in Hive, but will no longer be valid when calling the API...

@openshift-ci-robot
Copy link

@jharrington22: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/lint 7a6910a link /test lint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@jharrington22
Copy link
Contributor Author

/label tide/merge-method-squash

@openshift-ci-robot openshift-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Oct 15, 2020
@jharrington22 jharrington22 force-pushed the remove-cloudformation-outputs branch 2 times, most recently from 2b1cd81 to 420d605 Compare October 16, 2020 18:50
@vkareh vkareh mentioned this pull request Oct 26, 2020
Closed
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 30, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 30, 2020
@jharrington22 jharrington22 force-pushed the remove-cloudformation-outputs branch 4 times, most recently from 5aeaf2b to 2859320 Compare November 2, 2020 16:51
vkareh
vkareh reviewed Nov 2, 2020
View reviewed changes
pkg/ocm/regions/regions.go Outdated Show resolved Hide resolved
@vkareh
Copy link
Member

vkareh commented Nov 2, 2020

Apart from my comment about GetRegions, this looks fine to me

vkareh
vkareh reviewed Nov 5, 2020
View reviewed changes
pkg/ocm/regions/regions.go Outdated Show resolved Hide resolved
vkareh
vkareh reviewed Nov 5, 2020
View reviewed changes
cmd/create/cluster/cmd.go Outdated Show resolved Hide resolved
@jharrington22
Copy link
Contributor Author

/hold cancel

@vkareh comments addressed, thanks!

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 5, 2020
@vkareh
Copy link
Member

vkareh commented Nov 5, 2020

/lgtm

Thanks @jharrington22! :)

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 5, 2020
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jharrington22, vkareh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jharrington22,vkareh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit f0598fb into openshift:master Nov 5, 2020
vkareh added a commit to vkareh/rosa that referenced this pull request Nov 5, 2020
@vkareh
Release v0.1.1
7fc84e3 
- refactor(init): verify permissions for osdccsadmin using ValidateSCP
- machinepools: Support full CRUD operations for machine pools
- Added validation for name
- Added Details Page Link
- machinepool: Allow managing 'default' machinepool
- Rotate osdCcsAdmin credentails on creation of each cluster (openshift#118)
@vkareh vkareh mentioned this pull request Nov 5, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vkareh vkareh vkareh left review comments

@NautiluX NautiluX Awaiting requested review from NautiluX

Assignees

@vkareh vkareh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jharrington22 @vkareh @openshift-ci-robot @openshift-merge-robot